Board of Governors of the Federal Reserve System

REPORT ON THE AUDIT OF THE BOARD’S
INFORMATION SECURITY PROGRAM

OFFICE OF INSPECTOR GENERAL

September 2008

September 30, 2008

Board of Governors of the Federal Reserve System
Washington, DC 20551

Dear Members of the Board:

The Office of Inspector General is pleased to present its Report on the Audit of the Board’s Information Security Program. We performed this audit pursuant to requirements in the Federal Information Security Management Act (FISMA), Title III, Public Law 107-347 (December 17, 2002), which requires each agency Inspector General (IG) to conduct an annual independent evaluation of the agency’s information security program and practices. Our specific audit objectives, based on the legislation’s requirements, were to evaluate the effectiveness of security controls and techniques for selected information systems and to evaluate compliance by the Board of Governors of the Federal Reserve System (Board) with FISMA and related information security policies, procedures, standards, and guidelines. We conducted our audit from May through September 2008 in accordance with generally accepted government auditing standards.

To evaluate security controls and techniques, we review controls over Board applications on an ongoing basis. During the past year, we issued security control review reports for three of the Board’s major applications: a bundle of subsystems referred to as the EGov Systems, the Federal Reserve Integrated Records Management Architecture (FIRMA), and the Currency Ordering System (COS). We also issued a report on the controls of two third-party applications operated by the Federal Reserve Bank of Boston in support of the Board’s supervision and regulation function.
Our control tests identified areas where controls need to be strengthened. Given the sensitivity of the issues involved with these reviews, we provided the specific results to management in separate restricted reports. We performed our application control testing based on selected controls identified in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems (SP 800-53). The controls are divided into “families” (such as access controls, risk assessment, and personnel security) and include controls that can be categorized as system-specific or common (that is, applicable across agency systems). Consequently, although our focus was on evaluating specific applications, we also assessed some of the broader security controls that affect most, if not all, of the applications.

Members of the Board    2 of 21    September 30, 2008

In March 2008, we issued a restricted report on these common security controls that identified opportunities for the Board’s Chief Information Officer (CIO) to enhance and enforce existing policies and procedures, and to provide additional guidance that would assist system owners in implementing security controls under the Board’s security program. We also followed up on open recommendations from prior security control reviews.

To evaluate the Board’s compliance with FISMA and related policies and procedures, we reviewed components of the Board’s certification and accreditation (C&A) process, including risk assessments, security plans, and security assessments. As part of the agency’s annual FISMA reporting, the Office of Management and Budget (OMB) requests a specific response from both the agency and the OIG on certain security-related processes.
Our work included analyzing the Board’s security-related processes for security awareness and training, remedial action monitoring, incident response, configuration management, controls over personally identifiable information (PII), and privacy impact assessments (PIA). Our response will be provided to OMB by the Chairman under separate cover.

Our prior annual FISMA audits of the Board’s information security program contained recommendations focused on bringing the Board’s program into compliance with FISMA and NIST requirements. In our 2007 Report on the Audit of the Board’s Information Security Program, we noted the Board had made progress toward implementing a structured information security program as outlined by FISMA. At the time of our report in 2007, we concluded that the primary challenge going forward was for the Board’s CIO and Information Security Officer (ISO) to ensure that all aspects of the revised information security program were fully and consistently implemented across the systems supporting divisions and offices—as well as for third-party applications supporting Board programs and operations—and that controls were implemented correctly, working as intended, and producing the desired results.

The Board continues to advance and improve its information security program. During 2008, the Board enhanced its annual security awareness training and its processes for tracking security-related issues and initiatives. It also certified and accredited minor applications and subsystems by bundling the systems under the security plans of (1) a GSS; (2) a major application that provides a significant portion of its security control requirements; or (3) other minor applications to form a single major application.
We found that the Board’s inventory has remained stable from 2007, and that the bundling of minor applications and subsystems is a reasonable approach to implement the Board’s security program.

During 2008, the ISO continued to update the Board’s security program and related guidance to maintain a FISMA-compliant approach to managing and evaluating each Board information system throughout its lifecycle. As shown in Figure 1, the Board has established processes throughout the system lifecycle to lead to the certification and accreditation (C&A) of the Board’s major applications and General Support Systems (GSS).

Figure 1. Board’s IT Security Framework for the Information System Security Lifecycle [1]

However, our review of the certification and accreditation of major applications and the GSS supported by the Division of Information Technology (IT GSS), the Board’s central GSS, identified opportunities for the Board to improve its risk assessment process and security assessment testing. We found that the risk assessments can be improved to explicitly identify the residual risk remaining after implementing minimum baseline controls. We also found that the security assessments performed as part of the C&A process need to be strengthened to include necessary and sufficient independent testing to provide the system owners with assurance that information security controls for these systems are effectively implemented and functioning as intended.
Our report contains two recommendations to the CIO designed to ensure that (1) risk assessments adequately identify, evaluate, and document the level of risk to an information system based on potential threats, vulnerabilities, and currently implemented or planned controls, to determine if additional controls are needed; and (2) security assessments include necessary and sufficient independent testing to support the authorization for the system to operate, and provide the authorizing official and the Board assurances that information security controls for these systems are implemented correctly, working as intended, and producing the desired results. Appendix 1 contains our analysis of the Board’s progress in implementing key FISMA requirements.

[1] Each process in the lifecycle builds on the previous process, and any deficiency in one process will affect subsequent processes. For example, if the risk assessment does not adequately evaluate the level of residual risks remaining after the baseline controls are implemented, additional controls will not be identified as needed to lower the residual risk to an acceptable level, the security plan will not adequately describe how the risk is being addressed, and the security assessment will not provide the necessary assurances that the system is meeting its security requirements.

We provided our draft report for review and comment to the director of the Division of Information Technology (IT), in her capacity as the Chief Information Officer for FISMA. Her response is included as appendix 2. In her response, the director concurred with our recommendations. We will follow up on actions taken regarding our recommendations as part of future audit and evaluation work related to information security.

The principal contributors to this report are listed in appendix 3.
We are providing copies of this audit report to Board management officials. In addition, the Chairman will provide the report to the director of OMB, as required by FISMA. The report will be added to our publicly available web site and will be summarized in our next semiannual report to the Congress. Please contact me if you would like to discuss the audit report or any related issues.

Sincerely,

/signed/

Elizabeth A. Coleman
Inspector General

Attachments

cc:   Mr. Stephen Malphrus
      Ms. Maureen Hannan
      Mr. Geary Cunningham
      Mr. Raymond Romero

APPENDIXES

APPENDIX 1

Appendix 1 – OIG Analysis of the Board’s Progress in Implementing Key FISMA Requirements

Policies and Procedures

Requirement:
Information security policy is an essential component of an information security program. An agency’s information security policies should be based on a combination of relevant legislation, such as FISMA; applicable standards, such as NIST Federal Information Processing Standards (FIPS) and guidance; and internal agency requirements. Supporting guidance and procedures on how to implement specific controls effectively across the enterprise should be developed to augment an agency’s security policy.
To ensure that information security does not become obsolete, agencies should implement a review and revision process for their policies and procedures.

Progress to Date:
The ISO and his staff have completed a significant amount of work over the past few years to develop a security program that complies with NIST requirements. During the past year, the ISO has continued to enhance the security program to reflect changes in how the Board accounts for information assets, tracks the security compliance status of each system, and continues to develop policy and procedures for safeguarding personally identifiable information. To assist system owners in bundling minor applications and subsystems into the security plan of a major application or GSS that provides a significant portion of its security control requirements, the ISO developed an inventory guide that includes a decision tree for determining how the system should be included in the inventory. The ISO also updated the control baseline with instructions for subsystems, enhanced the risk assessment guide to reflect new system types, and developed a Bundled Subsystem Security Plan template.

In addition, the Board continues to develop policy and procedures for safeguarding PII. In the past year, the Board issued two new management policies that address privacy and information security issues.
The “Policy for Handling Personally Identifiable Information” defines personally identifiable information and how to handle it at the Board; the updated “Data-Breach-Notification Policy and Plan” outlines the procedures that are to be followed if a loss of personally identifiable information occurs. The ISO has also issued a Mobile Code Policy, and a Media Disposal and Sanitation Policy that describe the process that the Board uses to sanitize and dispose of digital media that is not otherwise subject to particular restrictions. [2]

[2] Mobile Code, also known as Active Content, is defined as small pieces of software or program code that are automatically downloaded onto and executed on a user’s PC, possibly without the explicit installation or execution by the recipient.

The IT security staff continues to conduct training for system owners and developers. The 2008 FISMA training consisted of sessions focused on the improvements and changes from last year’s documents, addressing bundled subsystems. For those staff who were new to FISMA, an additional session was held to provide a step-by-step walk-through of how to complete FISMA documents for a sample system.

Work to Be Done:
An agency will always need to update and refine its information security program and the related policies and procedures as the program evolves and as NIST and OMB issue new guidance.
To achieve this objective, agencies should implement a review and revision process for their policies and procedures to ensure that information security does not become obsolete and that the policies and procedures are working effectively to produce the desired results. While the Board does not have a formal review and revision process, we found that the Board has responded appropriately when OMB and NIST have issued changes to FISMA requirements. We will continue to review the need for additional guidance as part of our ongoing work related to information security.

Application Inventory

Requirement:
FISMA requires the head of each agency to develop and maintain an inventory of major information systems operated by or under the control of the agency. The inventory forms the basis for meeting the FISMA periodic testing requirement and should identify interfaces between each system and other systems or networks. The inventory should also identify system criticality and risk levels. OMB expects agencies to have an inventory that is based on work completed in developing an enterprise architecture.

Progress to Date:
The Board’s FISMA inventory has remained stable over the past year, but the Board continues to refine how it accounts for the certification and accreditation of minor applications and subsystems.
During the past year, the Board has focused on bundling minor applications and subsystems into the security plans of either a GSS, a major application that provides a significant portion of its security control requirements, or other minor applications to form a single major application. According to the Board, bundling is a common practice and is encouraged to minimize the redundancy of security plan documentation. To bundle an application into a GSS under Board criteria, the application must have an impact rating of low or moderate, and the system owners must have reviewed the system-specific baseline of controls for the application and have documented in the risk assessment that the application relies only on the IT GSS for its non-system-specific security controls (the system cannot rely on more than one GSS for its controls). We reviewed the rationale for bundling the minor applications into a major application and determined that it was a reasonable approach to implement the Board’s security program.

Our 2005 FISMA report recommended that the Board identify all information and information systems supporting its operations and assets, including those at Reserve Banks and other third parties, and ensure full and timely compliance with FISMA’s legislative requirements and related information security policy and guidance.
We did not close the recommendation in 2006 or 2007 because the Board still had work remaining to fully implement the Board’s security program requirements for all systems on the inventory. [3] Subsequently, the Board has certified and accredited the IT GSS and major applications; in our opinion, this is sufficient action to close this recommendation. However, as discussed below, we believe that the Board can improve its risk assessment process and security assessment testing.

Work to Be Done:
Going forward, as new minor applications and subsystems are bundled into a GSS, the ISO will also need to ensure that controls are properly documented, implemented, and tested to provide the appropriate level of security. As the ISO continues to review the inventory and further implement the bundling guidance, we will evaluate the appropriateness of any revisions to the Board’s application inventory.

As we reported last year, our 2005 information security audit report also contained a recommendation that the Board establish full-time, independent CIO and ISO positions that have the authority to direct and enforce FISMA compliance for all information and information systems that support Board operations and assets, including those provided by the Reserve Banks and other third parties. In responding to our recommendation, the Board’s previous CIO for FISMA stated that the Board will continue to evaluate and make changes as appropriate to the organizational structure in light of the final inventory and any additional direction from OMB.
Although the Board has finalized its inventory and has implemented components of its security program for systems maintained within the Board, our security control reviews have identified that the CIO and ISO need to ensure that system owners are clearly identifying system boundaries, and assessing the risk of relying on controls provided by entities that have not been certified or accredited in accordance with the Board’s security program. We will continue to hold this recommendation open until the CIO has demonstrated the authority to fully implement the Board’s security program for all information systems that support Board operations and assets, including those provided by the Reserve Banks and other third parties.

[3] See the following OIG reports: Audit of the Board’s Information Security Program, dated October 2005; Audit of the Board’s Information Security Program, dated September 2006; and Audit of the Board’s Information Security Program, dated September 2007.

Periodic Risk Assessments

Requirement:
FISMA requires periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency.

Progress to Date:
The Board has developed a FISMA-compliant certification and accreditation process that requires system owners to determine the security categorization and impact rating of their system; apply minimum or a baseline set of NIST controls; perform a risk
assessment to determine what residual risks remain after the baseline controls are implemented; and develop a security plan based on the complete set of controls needed.

To assist system owners, the ISO has issued guidance, including a standard template, and developed a set of minimum controls baseline that includes controls required by NIST Special Publication 800-53. The baseline identifies where the control is to be implemented (by the system or GSS), and the ISO provides information for the IT GSS controls and a template for use in documenting system-specific controls. For major applications and stand-alone minor applications, the risk assessment consists of system owners documenting how the system-specific controls are met and ensuring that the information on the IT GSS controls remains accurate, making revisions where necessary. For bundled subsystems, system owners are to review the information provided for the IT GSS and for any control that has not been documented, and provide the appropriate information or justification for the unique system controls in the bundled subsystem security plan. We judgmentally selected seven subsystems bundled into the IT GSS and verified that each had a risk assessment and a bundled subsystem security plan completed. The security plan included an assertion by the system owner that the security controls provided by the GSS had been reviewed.

Work to Be Done:
As part of our review of the Board’s C&A process, we reviewed a sample of ten major applications that had been certified and accredited to operate between June 2007 and March 2008.
We found that each application applied the minimum or baseline set of NIST controls and had completed a risk assessment template. However, we found no documentation or evidence that system owners are fully complying with the Board’s risk assessment process and identifying the residual risk that remains after implementing the minimum set of controls defined in the Board’s security control baseline. System owners are documenting that their system is meeting the minimum controls, but the security control baselines are not designed to protect against all threats. A comprehensive risk assessment should explicitly address the system owner’s analysis of potential system vulnerabilities and demonstrate a thorough understanding of any associated risk. We believe that the CIO needs to ensure that risk assessments are adequately identifying, evaluating, and documenting the level of risk to an information system based on potential threats, vulnerabilities and currently implemented or planned controls, to determine whether additional controls are needed.

Based on recommendations from our security control reviews, the ISO agreed to update the Risk Assessment Guide for Board Information Systems with additional guidance to ensure that system owners more effectively identify system boundaries and more fully address additional risks that may result when interconnections to other systems are established. The ISO will also perform a common risk assessment addressing Reserve Bank direct access to Board Systems.
We will continue to review implementation of the risk assessment process as part of our future application security control reviews.

Recommendation 1: We recommend that the CIO ensure that risk assessments are adequately identifying, evaluating, and documenting the level of risk to an information system based on potential threats, vulnerabilities and currently implemented or planned controls, to determine whether additional controls are needed.

Security Plans

Requirement:
FISMA requires that agencies develop security plans for each system in the inventory. The system security plans should be based on the agencywide plan, provide an overview of the system’s specific security requirements, and describe the controls in place or planned for meeting those requirements. System security plans should delineate the responsibilities, expected behavior, and training requirements for all individuals who access the system, and describe appropriate controls for interconnection with other systems.

Progress to Date:
The Board’s Security Program requires the system owner to develop a security plan based on the complete set of controls required for the system (that is, the baseline controls and any additional controls identified during the risk assessment process). To assist system owners, the ISO has developed security plan templates for major applications, general support systems, and bundled subsystems.
In addition, the ISO has updated the security plan template to document whether the system contains PII.

As previously described in the Periodic Risk Assessment section, system owners are required to analyze the template information to ensure that controls are sufficient for their systems. The baseline becomes part of the security plan. Approval of a security plan signifies approval of all documents referenced by the security plan and baseline. The bundled subsystem security plan requires system owners to assert that all security controls provided by the control baseline have been reviewed to determine that the subsystem relies upon the provided GSS security controls, and that the controls satisfy all subsystem control requirements with the exception of any other specific controls documented.

As part of our review of the Board’s C&A process we judgmentally selected a sample of twenty-six subsystems and minor applications that have been bundled into nine major applications, and found each of the system owners of the major applications had developed security plans that include the subsystems. We also selected a sample of seven subsystems that had been bundled into the IT GSS and verified that each had a risk assessment and a bundled subsystem security plan completed.

Work to Be Done:
Full implementation of the security planning process will not occur until all plans provide an overview of the system’s specific security requirements, and describe the controls in place or planned for meeting those requirements.
As discussed under the risk assessment section, if the control baseline and risk assessment is inadequate or contains errors, the security plans will not fully describe the system’s security environment or identify other needed controls.

In addition, our security control reviews identified opportunities for the ISO to enhance security plans by including technical details for the servers that could affect a specific application. This enhancement would allow system owners to understand the risks and mitigating factors of certain design architectures and identify the software packages installed on the servers supporting their applications. We will review completed security plans during future security control reviews.

Periodic Testing and Evaluation

Requirement:
FISMA requires periodic testing and evaluation of the effectiveness of an agency’s information security policies, procedures, and practices. The evaluation includes testing of the management, operational, and technical controls for each system identified in the agency’s inventory and should be performed on a risk-based frequency, but not less than annually. Each system must also undergo a periodic certification and accreditation to ensure that the individual responsible for the system has performed activities needed to ensure that security controls are commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information contained in the system.
A C&A should be completed before a system is initially placed into operation, and every three years thereafter, or if the system undergoes a significant change.

Progress to Date:
The Board’s security program requires the certification and accreditation of a system based on a system security plan, security assessment report, and plan of actions and milestones (POA&M). The security assessments are to be performed by an independent certification agent and directly support the security accreditation by providing authorizing officials with the information necessary to make credible, risk-based decisions on whether to place an information system into operation or to permit an existing system to continue its current operation.

The ISO has issued security certification review reports for the IT GSS and major applications on the Board’s inventory. Minor applications and subsystems bundled into the security plans of a major application or GSS are certified with the major application or GSS, and will be tested as part of that major application or GSS.

To provide consistency and document the security review, the ISO has developed C&A testing steps for the certification agent to follow and document their work. We compared the certification test steps to the Board’s baseline and found that the test steps incorporated the baseline controls implemented by the GSS and the system.
The test steps included controls for applications at all impact levels (low,\n       moderate, high).\n\nWork to be done:\n      As part of our review of the Board\xe2\x80\x99s C&A process, we reviewed both the security\n      assessments for a sample of ten major applications that had been certified and\n      accredited to operate between June 2007 and March 2008, as well as components\n      of the 2007 security assessment of the IT GSS. We found a lack of necessary and\n      sufficient independent testing conducted by the certification agent that is\n      supposed to provide the system owners assurance that information security\n      controls for these systems are effectively implemented and functioning as\n      intended. The certification testing focused on validating that the system owner\n      provided correct information for controls in the baseline and that the control\n      exists, not whether the control is operating effectively. We also found that the\n      C&A test step documentation was not centrally maintained or always retained.\n      We believe that the CIO needs to ensure that security assessments include\n      necessary and sufficient independent testing to support the authorization to\n      operate, and to provide the authorizing official and the Board assurances that\n      information security controls for these systems are effectively implemented and\n      functioning as intended.\n\n       The IT GSS has been separated into nineteen components and the ISO has\n       developed individual security control baselines for each component. The ISO\n       plans to conduct reviews over the next three years on the various components and\n       subsystems. 
To ensure that all systems are appropriately tested, the ISO will\n       need to document a three-year review schedule for the nineteen components and\n\n\n\n\n                                     13 of 21\n\x0c             ensure that each of the bundled minor applications and subsystems will be tested\n             within the components.\n\n             In addition, the IT GSS and Management GSS security plans encompass:\n             common controls provided by the CIO and ISO offices for all Board information\n             systems; infrastructure component specific controls; and common controls\n             provided by infrastructure components to Board information systems. Since all\n             systems at the Board rely on these common controls, the ISO will need to\n             coordinate the results of the security testing with system owners.\n\n             Recommendation 2: We recommend that the CIO ensure that security\n                               assessments include necessary and sufficient\n                               independent testing to support the authorization to\n                               operate, and provide the authorizing official and the\n                               Board assurances that information security controls for\n                               these systems are implemented correctly, working as\n                               intended, and producing the desired results.\n\nPlanning, Implementing, Evaluating, and Documenting Remedial Actions\n\n      Requirement:\n            FISMA requires agencies to establish a process for addressing any deficiencies in\n            information security policies, procedures, and practices. To implement this\n            requirement, OMB has issued guidance requiring agencies to prepare and submit\n            POA&Ms for all programs and systems where an information technology security\n            weakness has been found. 
The POA&Ms should include all security weaknesses\n            found during any review done by, for, or on behalf of the agency, including\n            Government Accountability Office audits, financial statement audits, and critical\n            infrastructure vulnerability assessments. In addition, program officials should\n            regularly update the CIO on their progress in implementing corrective actions to\n            better enable the CIO to monitor agencywide remediation efforts and provide the\n            agency\xe2\x80\x99s quarterly POA&M update to OMB.\n\n      Progress to Date:\n            The ISO continues to ensure that divisions accurately update their division-level\n            information and has developed a centralized web interface to manage POA&M\n            items. We believe that this is a significant improvement that will assist the ISO in\n            tracking security-related issues and addressing deficiencies. Our review of the\n            quarterly POA&Ms identified that the OIG\xe2\x80\x99s security control review\n            recommendations have been placed on appropriate division POA&Ms, and the IT\n            Division\xe2\x80\x99s POA&M has been expanded to track all security related initiatives in\n            addition to security weaknesses. The ISO has stated that he regularly updates the\n            CIO on the division\xe2\x80\x99s progress in implementing corrective actions.\n\n\n\n\n                                           14 of 21\n\x0c      Work to be done:\n            Our security control reviews identified two POA&M items that had been removed\n            from the POA&M without corrective actions being documented and validated; a\n            recommendation was addressed to the system owner. 
As part of future security\n            assessments, we believe that the certification testing needs to ensure that\n            previously identified vulnerabilities that have been removed from the POA&M\n            have had necessary and sufficient action taken to resolve the vulnerabilities. We\n            will continue to review the Board\xe2\x80\x99s tracking and resolution of POA&M items as\n            part of our ongoing FISMA related audit work.\n\nSecurity Awareness Training and Training Personnel with Significant Security\nResponsibilities\n\n      Requirement:\n            FISMA requires that an agency\xe2\x80\x99s information security program include security\n            awareness training to inform all personnel, including contractors and other users\n            of information systems that support the agency\xe2\x80\x99s operations and assets, of the\n            information security risks associated with their activities, as well as their\n            responsibilities in complying with agency policies and procedures. FISMA also\n            requires that the CIO train and oversee personnel with significant responsibilities\n            for information security.\n\n      Progress to Date:\n            The Board requires all employees and contractors to take an annual security\n            awareness training and quiz. The quiz reinforces security articles posted\n            throughout the year on the Board\xe2\x80\x99s internal website. During the past year, the\n            ISO upgraded the training and quiz to an interactive, computer based system that\n            requires the user to be connected to the Board\xe2\x80\x99s network to participate. 
Upon\n            completion of the security awareness quiz, employees are required to\n            acknowledge that they will abide by all Board policies and rules that apply to the\n            Board\xe2\x80\x99s IT resources.\n\n      Work to be done:\n            In our 2007 FISMA report, we found that the ISO had developed guidance\n            regarding the identification of personnel with significant responsibilities for\n            information security, and had outlined a minimum set of training that staff should\n            receive based on their role. The ISO is currently conducting a survey of training\n            taken by individuals with significant security responsibilities. We will review the\n            Board\xe2\x80\x99s progress in identifying and providing training to individuals with\n            significant security responsibilities as part of our future security control reviews.\n\n             As previously discussed in the Policies and Procedures section, the Board\n             continues to develop policy and procedures for safeguarding PII, and during the\n             past year issued two new management policies that address privacy and\n             information security issues. The Board plans to develop an education/training\n\n\n\n\n                                           15 of 21\n\x0c             program to assist in implementing the policies and procedures. We will review\n             the education/training program as part of future FISMA related audits.\n\nDetecting, Reporting, and Responding to Security Incidents\n\n      Requirement:\n            FISMA requires agencies to develop procedures for detecting, reporting, and\n            responding to security incidents. 
The procedures should include steps to mitigate\n            risks from security incidents before substantial damage is done, and to notify and\n            consult with the United States Computer Emergency Readiness Team (US-\n            CERT), appropriate law enforcement agencies, and relevant OIGs. US-CERT has\n            also established requirements for incident reporting, which include priority levels\n            for categories of incidents and the timeframes for reporting each priority level.\n\n      Progress to Date:\n            The ISO continues to issue policy and procedures to inform employees of their\n            responsibilities for reporting incidents. During the past year, the ISO updated the\n            Information Security Incident Handling Guide and issued a standard template\n            form to document a suspected or confirmed theft or loss of any computers, mobile\n            devices, data storage devices or media, and restricted documents.\n\n             To reinforce employees\xe2\x80\x99 responsibilities, the ISO continues to post articles on this\n             topic on the Board\xe2\x80\x99s website as part of security awareness training. The most\n             recent Security Awareness Quiz included a review of the Permissible-Use and\n             Privacy Policy, Information Classification & Handling Guide, and Security\n             Incident Handling Guide.\n\n      Work to be done:\n            The Board\xe2\x80\x99s security program requires system owners either to complete a\n            Privacy Impact Assessment (PIA) as part of the planning process or to obtain a\n            determination from the Board\xe2\x80\x99s Legal Division that a PIA is not required. To\n            assist system owners, the Legal Division has developed draft guidance that\n            outlines the PIA requirements for those systems with PII. 
The guidance consists\n            of two parts: a Frequently Asked Questions section and a Privacy Impact\n            Assessment Questionnaire (PIAQ) that staff responsible for the system will fill\n            out for those systems that require a PIA or are subject to the requirements of the\n            Privacy Act. The information provided in the response to the PIAQ is used to\n            prepare the PIA. We will continue to review the Board\xe2\x80\x99s actions to complete and\n            implement the guidance as part of future security control reviews.\n\n             We will continue, as part of our ongoing FISMA-related audit work, to review\n             how the Board handles information security incidents to ensure that incidents at\n             the Board and the Reserve Banks continue to be reported to US-CERT pursuant to\n             the relevant requirements.\n\n\n\n\n                                           16 of 21\n\x0cContinuity of Operations Plans and Procedures\n\n      Requirement:\n            FISMA requires that agency information security programs include plans and\n            procedures to ensure continuity of operations for information systems that support\n            the agency\xe2\x80\x99s operations and assets. OMB\xe2\x80\x99s FISMA reporting guidance also\n            indicates that contingency planning is a requirement for certification and\n            accreditation, with annual contingency plan testing required thereafter.\n\n      Progress to Date:\n            The Board continues to conduct semiannual contingency testing. Divisions\n            participate in the semiannual contingency tests and the ISO uses the Board\xe2\x80\x99s\n            application inventory to track the systems that have been tested. 
During the past\n            year, the Board continued to update equipment at its contingency site, and\n            mitigate the risks that were observed during recent national disasters.\n\n      Work to be done:\n            The Board conducted a contingency test in September 2008. However, the prior\n            scheduled contingency test was cancelled due to the exigencies of the economic\n            situation at the time. The CIO based her decision on the circumstances that the\n            Board may have needed, at any time, all resources that could be available. If the\n            semiannual contingency testing becomes burdensome, the Board may want to\n            consider smaller, more focused contingency tests.\n\n             To help ensure that the contingency tests continue to provide value to the Board,\n             the CIO and ISO (in conjunction with Board staff responsible for contingency\n             planning) will need to ensure that the tests continue to be rigorous, that\n             participants are challenged by the exercises, and that the participants do not\n             become complacent. In addition, although not a requirement of SP 800-53 for\n             moderate rated systems, the Board may wish to consider capacity planning so that\n             necessary capacity for information processing, telecommunications, and\n             environmental support exists during crisis situations. We will continue to monitor\n             the contingency tests as part of our ongoing FISMA work.\n\n\n\n\n                                          17 of 21\n\x0c\x0c                                                                               APPENDIX 2\n\n\n\n\n                      BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM\n                             DIVISION OF INFORMATION TECHNOLOGY\n\n\n\n\nDATE:      September 19, 2008\nTO:        Ms. Elizabeth A. 
Coleman\nFROM:      Maureen Hannan /signed/\nSUBJECT:   Comments on the Office of Inspector General\xe2\x80\x99s 2008 Review of the Board\xe2\x80\x99s\n           Information Security Program\n\n\n        Thank you for the opportunity to comment on the Office of the Inspector General\xe2\x80\x99s\n(OIG\xe2\x80\x99s) review of the Board\xe2\x80\x99s information security program. We are pleased that your\nassessment of the program continues to recognize that our information security policies and\nprocesses are FISMA-compliant and that we continue to enhance the program. As noted in your\nreport, we continue to improve and enhance our security policies and procedures, tracking of\nremediation action, and security awareness training. We maintain an accurate inventory of all\nsystems and have performed certification and accreditation reviews for each system. We\ncontinue to strengthen configuration management processes and maintain an effective layered\nsecurity model as demonstrated by our most recent independent verification and validation\nexercise.\n\n       We concur with the recommendations to improve the risk assessment and control testing\nprocesses. These recommendations are consistent with our own self-assessment of the\ninformation security program and our plans to improve the program. We plan to work closely\nwith system owners over the next year to ensure risk assessments are comprehensive and we are\nevaluating tools that may be employed to assist system owners perform and maintain risk\nassessments. 
We have also expanded our information security compliance unit and will be\nenhancing our control testing processes.\n\n\n\n\n                                           19 of 21\n\x0c\x0c                                                                               APPENDIX 3\n\n\n\nAppendix 3 \xe2\x80\x93 Principal Contributors to the Report\nPeter Sheridan, Audit Manager\n\nRichard Allen, IT Auditor\n\nRobert Delgesso, IT Auditor\n\nSatynarayana-Setty Sriram, IT Auditor\n\nAndrew Patchan, Jr., Assistant Inspector General for Audits and Attestations\n\n\n\n\n                                            21 of 21\n\x0c'